Compliance Briefing — October 1, 2025
Maryland’s Online Data Privacy Act (MODPA) takes effect on October 1, 2025, forcing consumer-facing organizations to document data minimization, honor universal opt-out signals, and obtain consent for processing youth data.
Executive briefing: The Maryland Online Data Privacy Act of 2024 (SB 541) becomes enforceable on October 1, 2025. Controllers that conduct business in Maryland or target its residents must apply data minimization, limit retention to what is reasonably necessary, and secure opt-in consent before processing the personal data of individuals under 18 for targeted advertising or sales. Enforcement authority rests with the Maryland Attorney General, who can seek injunctions and penalties of up to $10,000 per violation.
Key compliance checkpoints
- Data minimization and purpose limits. Document processing purposes, retention periods, and deletion triggers for all personal data collected from Maryland residents, ensuring operations stay within the “reasonably necessary and proportionate” test codified in Section 14-4204.
- Sensitive data controls. Capture explicit consent before processing geolocation, biometric identifiers, or precise health data, and maintain records of consent withdrawal to satisfy Section 14-4205.
- Youth protections. Block targeted advertising to minors under 18 unless verified opt-in consent is obtained from the minor (13–17) or a parent/guardian (under 13), and prevent any sale of minors’ personal data.
Operational priorities
- Inventory Maryland exposure. Flag Maryland residency indicators in customer data platforms and identity graphs so consent and opt-out preferences apply consistently across channels.
- Universal opt-out integration. Ensure consent management platforms recognise global privacy control (GPC) and other universal opt-out mechanisms, and propagate suppression lists to advertising and data-sharing partners.
- Revise processor agreements. Update vendor contracts with MODPA-specific obligations covering deletion support, sub-processor approvals, and audit cooperation.
Enablement moves
- Launch a MODPA-specific playbook that maps state obligations against existing Virginia, Colorado, and Connecticut privacy controls to reuse evidence.
- Brief executive leadership on enforcement posture, including coordination with multistate AG investigations and FTC unfair practices actions.
Sources
- Maryland Online Data Privacy Act of 2024 (SB 541)
- Maryland Attorney General: MODPA signing announcement
- Holland & Knight: Maryland enacts the most restrictive state privacy law
Zeph Tech orchestrates MODPA compliance by integrating consent telemetry, cross-state privacy reporting, and regulator-ready evidence trails.